Re: [ANNOUNCE] nf-hipac v0.8 released

From: Michael Bellion and Thomas Heinz
Date: Wed Jul 02 2003 - 11:57:32 EST

Hi Pádraig

You wrote:
> I was testing with 64 byte packets (so around 190Kpps). e100 cards at
> least have a handy mode for continually sending a packet as fast as
> possible. Also you can use more than one interface.

Yes, that's true. When we did the performance tests we had in mind to
compare the worst case behaviour of nf-hipac and iptables.
Therefore we designed a ruleset which models the worst case for both
iptables and nf-hipac. Of course, the test environment could have been
tuned a lot more, e.g. UDP instead of TCP, FORWARD chain instead of
INPUT, tuned network parameters, more interfaces etc.

Anyway, we prefer independent, more sophisticated performance tests.

>>> # ./readprofile -m /boot/ | sort -nr | head -30
>>> 6779 total 0.0047
>>> 4441 default_idle 69.3906
>>> 787 handle_IRQ_event 7.0268
>>> 589 ip_packet_match 1.6733
>>> 433 ipt_do_table 0.6294
>>> 106 eth_type_trans 0.5521
>>> [...]
> Confused me too. The system would lock up and start dropping
> packets after 125 rules. I.E. it would linearly degrade
> as more rules were added. I'm guessing there is a fixed
> interrupt overhead that is accounted for
> by default_idle?

Hm, but once the system starts to drop packets ip_packet_match and
ipt_do_table start to dominate the profile, don't they?


| Michael Bellion | Thomas Heinz |

